In the next step we have to configure PAM to use eCryptfs and pam_mount at login time. To do that we have to add some lines to the '/etc/pam.d/system-auth' file. Please take care about the order of the entries!

/etc/pam.d/system-auth:

[...]
auth required pam_unix.so [...]
auth optional pam_ecryptfs.so unwrap
auth optional pam_permit.so
auth optional pam_mount.so
[...]
password required pam_unix.so [...]
password optional pam_ecryptfs.so
[...]
session required pam_unix.so
[...]
session optional pam_mount.so

Now we have to configure pam_mount to auto-mount our encrypted directory. First we have to add the 'luserconf' parameter in order to tell pam_mount to use user-defined configuration files, which are found at the root of each user's home directory. Second we have to define the mount command that is used for lclmount. A typical pam_mount.conf.xml can look like this:

We are almost ready. Now we just have to decide how we let an ordinary user mount a file system. Normally only root can mount, so under these conditions we would get a permission error. One way would be to make the mount command suid root, but I don't prefer this approach since I consider it a security risk. Another approach would be to use sudo and define the lclmount command in /etc/security/pam_mount.conf.xml. The approach I use is simply an entry in /etc/fstab with the user flag to allow the user to mount his file system.

Remember the /root/ecryptfs_mount_options_<username> file that we created before? Now we are going to need it. Its content should look something like:

Now we have to change this line to fit the fstab syntax, and we also have to add the user and noauto options. If you want to execute files in your home directory you may also add the exec option. So our final entry in /etc/fstab should look like this:
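The conversion described above (one 'mount' output line into one fstab line with user and noauto appended, and exec after them when wanted) as an added shell example; this is not the wiki's own script, and the sample mount line, the path /home/alice and the ecryptfs_sig value in it are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the original wiki page: turn the line recorded by
# 'mount | grep ecryptfs > /root/ecryptfs_mount_options_<username>' into an
# /etc/fstab entry, appending the 'user' and 'noauto' options and, on request,
# 'exec'. The sample line is constructed; the path and the ecryptfs_sig value
# are placeholders, not values from a real system.

SAMPLE_MOUNT_LINE='/home/alice/.Private on /home/alice type ecryptfs (rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)'

# mount_line_to_fstab LINE [EXTRA_OPTS]
# 'mount' prints "SRC on MNTPT type FSTYPE (OPTS)"; fstab wants
# "SRC MNTPT FSTYPE OPTS DUMP PASS". Prints the fstab line on stdout and
# returns 1 if LINE is not an ecryptfs mount line.
mount_line_to_fstab() {
    line=$1
    extra=$2
    set -- $line
    src=$1; mntpt=$3; fstype=$5; opts=$6
    if [ "$2" != "on" ] || [ "$4" != "type" ] || [ "$fstype" != "ecryptfs" ]; then
        echo "not an ecryptfs mount line: $line" >&2
        return 1
    fi
    opts=${opts#\(}          # strip the parentheses mount puts around OPTS
    opts=${opts%\)}
    # 'user' implies noexec,nosuid,nodev; an 'exec' must come after it to win,
    # which is why the extra options are appended last.
    opts="$opts,user,noauto"
    if [ -n "$extra" ]; then
        opts="$opts,$extra"
    fi
    printf '%s %s %s %s 0 0\n' "$src" "$mntpt" "$fstype" "$opts"
}

# Example run (uses the constructed sample line):
# mount_line_to_fstab "$SAMPLE_MOUNT_LINE" exec
```

Run it against the real recorded file with `mount_line_to_fstab "$(cat /root/ecryptfs_mount_options_<username>)"` and append the printed line to /etc/fstab only after checking it by eye; the function refuses lines that are not ecryptfs mounts so a stray grep hit cannot slip into fstab.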

Revision as of 21:45, 18 February 2013


Summary

eCryptfs is a file system that lets you encrypt files and folders. The main advantage of eCryptfs is that you don't have to encrypt whole partitions. You can instead define a folder on the local file system to be mounted with the eCryptfs file system. All data stored in a folder that is mounted with eCryptfs is encrypted immediately.

Creating a private folder using eCryptfs

Here I will describe how to create a private (encrypted) folder within your $HOME directory. To start we will need to install the 'ecryptfs-utils' package.

# equo install ecryptfs-utils

eCryptfs comes with predefined scripts to set up a private directory. The prerequisite is that the group 'ecryptfs' is defined and the user who executes the script is a member of this group.

# groupadd ecryptfs

# usermod -a -G ecryptfs <username>

After this is done we can run the setup script as user:

$ ecryptfs-setup-private

The output should look like this:

Enter your login passphrase [<username>]:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Inserted auth tok with sig [e92ed746d5b6af67] into the user session keyring
Inserted auth tok with sig [e5194342fe7d8bf5] into the user session keyring
Inserted auth tok with sig [e92ed332d5b6af67] into the user session keyring
Inserted auth tok with sig [e5948744fe7d8bf5] into the user session keyring
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.

After the setup has completed successfully you will find the new directories '.Private' and 'Private' in your $HOME. The '.Private' directory contains the encrypted files and is mounted onto the 'Private' directory. The setup script creates a shortcut to mount the '.Private' directory and a README file. If these files are present it indicates that the encrypted directory is not mounted yet. So we have to mount it before we can store our files encrypted. To do that we execute the following command:

$ ecryptfs-mount-private

Now all the files and folders we create in the 'Private' folder are encrypted immediately.

You can add 'ecryptfs-mount-private' to your autostart options so that the private folder gets mounted on login. In some cases it is necessary to make the script '/usr/bin/ecryptfs-mount-private' suid root in order to be able to mount the private folder as a normal user.

Encrypt the whole $HOME directory using eCryptfs

Encrypting the home directory of a user requires a bit more of manual work. First backup the home directory of the target user:

# cp -r /home/<username> /home/<username>_backup

Now we are going to create the encrypted folder that is going to be mounted in the user's home directory.

First eCryptfs asks you for a passphrase for the encrypted file system. Enter a secure password there! Next you are asked about your encryption preferences. NOTE: if you want to enable filename encryption, please keep in mind that it can cause problems if you are using long file names. At the first mount a warning is shown that the current signature cannot be found in the signature store. Answer both questions with yes in order to add the current signature!

Next we have to store the mount information in a file, since we will need it for auto-mount purposes:

# mount | grep ecryptfs > /root/ecryptfs_mount_options_<username>

At this point we are done with the preparation of the encrypted folder. The next step is to automatically mount the encrypted folder at login time. But first we have to unmount the encrypted folder.

# umount /home/<username>

Auto mount the encrypted $HOME using pam_mount

In order to use our encrypted home folder we have to mount it at login time. To do that we are going to use the pam_mount package.

# equo install pam_mount

Next we copy the signature store to the unmounted user home. Please make sure, that the encrypted folder is not mounted at this time!

# cp -r /root/.ecryptfs /home/<username>

To avoid that eCryptfs will ask for the password at each login we will wrap the passphrase with the login passphrase of the user.

The program will ask you first for the passphrase of the eCryptfs-mount and then for a wrapping passphrase. We will use the login password as wrapping passphrase.

Now we create an auto mount file in the .ecryptfs directory of the user.

# touch /home/<username>/.ecryptfs/auto-mount

And of course we have to make sure that the user is the owner of their .ecryptfs directory (this needs chown, not chmod):

# chown -R <username>:<username> /home/<username>/.ecryptfs
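Before the first PAM login it pays to verify that the steps above left the unmounted home in the state pam_ecryptfs expects. The following check is an added shell example, not a script from the wiki or from the ecryptfs-utils project; it reads only and assumes the layout the page describes (a '.ecryptfs' directory holding 'auto-mount' and 'wrapped-passphrase', all owned by the user):

```shell
#!/bin/sh
# Added example, not part of the original wiki page: read-only sanity check of
# an unmounted encrypted home. It verifies what the preceding steps establish:
# ~/.ecryptfs exists, the 'auto-mount' marker and 'wrapped-passphrase' are
# present, every entry under ~/.ecryptfs is owned by the user (the chown -R
# step), and the wrapped passphrase is not group/world readable.
# Usage: check_ecryptfs_home /home/<username> <username>
check_ecryptfs_home() {
    home=$1
    user=$2
    dir="$home/.ecryptfs"
    rc=0

    if ! id "$user" >/dev/null 2>&1; then
        echo "no such user: $user" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (copy /root/.ecryptfs there first)" >&2
        return 1
    fi

    # Both files must exist: auto-mount triggers the mount at login and
    # wrapped-passphrase holds the mount passphrase wrapped with the login one.
    for f in auto-mount wrapped-passphrase; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        fi
    done

    # Anything under .ecryptfs not owned by the user is exactly what the
    # page's 'chown -R' step is meant to fix.
    foreign=$(find "$dir" ! -user "$user")
    if [ -n "$foreign" ]; then
        echo "not owned by $user:" >&2
        echo "$foreign" >&2
        rc=1
    fi

    # Columns 5-10 of 'ls -l' are the group and other permission bits; the
    # wrapped passphrase should show none of them set.
    if [ -f "$dir/wrapped-passphrase" ]; then
        perms=$(ls -ld "$dir/wrapped-passphrase" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "warning: $dir/wrapped-passphrase is group/world accessible ($perms)" >&2
            rc=1
        fi
    fi

    return $rc
}
```

A non-zero return means at least one check failed; the messages on stderr name the file to fix. Run it as root against the unmounted home, because the mounted view would hide the real ownership of the files on the encrypted layer.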
